Internal Audit Consulting FCPA Compliance
Last Updated on: 1st June 2025, 05:17 pm
The FCPA Started as Nixon’s Problem in 1977
So the Foreign Corrupt Practices Act – it was never supposed to exist. Back in 1973, when the Watergate special prosecutor was digging through corporate records looking for illegal campaign contributions, they stumbled onto something worse. Lockheed Martin had been paying millions in bribes to Japanese officials to sell aircraft. Then the SEC started investigating and found over 400 American companies were bribing foreign officials as standard business practice. Congress was mortified. American companies were embarrassing the country internationally, and Nixon’s administration, already drowning in scandal, couldn’t handle another hit. So in 1977, Congress passed the FCPA in a panic. They made it a federal crime for any American company, or any company listed on US exchanges, to bribe foreign officials. But the interesting part – they also added accounting provisions that nobody paid attention to at the time. Those accounting rules, which require accurate books and records and internal controls, have put more executives in prison than the actual bribery provisions.
The Department of Justice’s Criminal Division now uses these accounting violations as their primary weapon because they’re easier to prove than actual corruption.
The law sat dormant for decades. Between 1977 and 2000, the DOJ brought maybe two cases a year. Companies treated FCPA compliance like they treated speed limits – technically illegal but everyone did it anyway. That comfortable arrangement ended when the DOJ created a dedicated FCPA unit in 2006, and everything changed. Suddenly, prosecutors who spent their entire careers focusing on foreign bribery started finding violations everywhere they looked. And they were right – the violations were everywhere, companies just hadn’t been caught before.
Your Internal Audit Function is Probably Already Breaking FCPA Rules
Most internal audit departments think they’re helping with FCPA compliance when they’re actually creating evidence for prosecutors.
Internal auditors love to document everything. They write detailed reports about control weaknesses, suspicious transactions, unusual payments to third parties. They create beautiful audit trails showing exactly who knew what and when they knew it. Then they file these reports with senior management and the audit committee, creating a paper trail of corporate knowledge about potential violations. Once your internal audit identifies a potential FCPA issue and reports it up the chain, every executive who receives that report now has knowledge of potential criminal activity. If they don’t immediately stop the conduct and self-report to DOJ, they’ve committed a separate crime. The cover-up becomes worse than the original violation. Your audit committee members, who thought they were providing oversight, suddenly face personal criminal liability for failing to act on audit findings.
We see this pattern constantly. Internal audit finds suspicious payments in Brazil. They report it to the CFO. The CFO tells them to “monitor the situation.”
Six months later, the DOJ shows up with a subpoena.
Now the CFO is facing obstruction charges on top of the original FCPA violations. The audit report that was supposed to demonstrate good governance becomes Exhibit A in the criminal indictment. The SEC’s enforcement division specifically looks for these internal audit reports during investigations because they prove corporate knowledge.
That $800 Million Siemens Fine Changed Everything About Compliance
Before 2008, companies thought FCPA fines were manageable – maybe a few million dollars if you got caught.
Then Siemens.
$800 million for bribing officials in 65 countries over a decade. The fine wasn’t even the worst part. Siemens had to hire an independent compliance monitor for four years who had unlimited access to every document, every email, every executive in the company. That monitor, paid for by Siemens at $100 million per year, essentially ran their compliance function and reported directly to DOJ. What killed Siemens wasn’t the bribes themselves – it was their own internal audit function. Look, Siemens had conducted internal investigations that found widespread corruption. They documented millions in suspicious payments, identified the executives involved, even traced the bribe money through shell companies. But instead of self-reporting to DOJ, they tried to handle it quietly. Fire a few people, implement some new controls, move on.
When a whistleblower eventually went to the SEC, prosecutors found Siemens’ own internal audit reports documenting years of known violations. The company had investigated itself right into an $800 million fine.
The Siemens case created the modern FCPA enforcement playbook. Now prosecutors expect companies to have sophisticated compliance programs with regular risk assessments, detailed third-party due diligence, transaction monitoring, and extensive training. But there’s a trap — having these programs creates documentation that prosecutors will use against you. Not having them is also a crime under the FCPA’s internal controls provisions. Companies are trapped between documenting their own violations or violating the law by not having adequate controls. The DOJ’s own compliance guidance essentially requires companies to create evidence against themselves.
DOJ Uses Your Own Audit Reports as Evidence Against You
Internal investigations create detailed roadmaps for prosecutors. When your internal audit finds potential FCPA violations and you hire outside counsel to investigate, that “privileged” investigation report you think is protected by attorney-client privilege? The DOJ will argue you waived privilege by sharing it with your auditors, your board, your compliance consultants. Even if you maintain privilege, it might not matter. Under the DOJ’s cooperation credit policies, companies that want reduced penalties must waive privilege and turn over their internal investigation materials. So you spend millions on lawyers to investigate yourselves, then hand that investigation to prosecutors who use it to build their case against your executives. You’re literally paying to prosecute yourself. The alternative – not cooperating – means facing penalties that can destroy your company.
The smart companies know this game.
They conduct “investigations” that are really just fact-gathering exercises. They don’t draw legal conclusions, they don’t identify specific violations, they just collect documents and interview witnesses. Then when DOJ comes knocking, they can cooperate by providing facts without handing over a prosecution memo they wrote themselves. But even this strategy is dangerous – prosecutors are getting wise to it and demanding more substantive self-analysis as the price of cooperation credit.
Brazil Operations Create Triple Jeopardy Under Three Different Laws
Running operations in Brazil means you’re subject to three different anti-corruption laws simultaneously – the FCPA, the UK Bribery Act if you have any UK connections, and Brazil’s own Clean Company Act. Each law has different standards, different penalties, different definitions of what constitutes a violation. Conduct that’s legal under Brazilian law might violate the FCPA. Facilitation payments that are excepted under FCPA are criminal under the UK Bribery Act. A compliance program that satisfies US prosecutors might be inadequate under Brazilian standards. Prosecutors from all three countries share information now. Brazil’s Controladoria-Geral da União has cooperation agreements with both DOJ and the UK’s Serious Fraud Office. When one country starts investigating, they all start investigating. Your Brazilian subsidiary’s questionable payment to expedite permits doesn’t just risk FCPA charges – it triggers parallel investigations in multiple jurisdictions with prosecutors competing to see who can extract the biggest penalty.
We represented a client whose Brazilian sales agent made payments that were arguably legal consulting fees under Brazilian law.
The DOJ said they were bribes.
The UK SFO said even if they were legal fees, the failure to prevent them violated the Bribery Act.
Brazil’s CGU said the paperwork wasn’t properly documented under their Clean Company Act.
Three countries, three different theories of prosecution, same underlying conduct. The combined legal fees defending investigations in three countries exceeded the original questionable payments by a factor of 100. And that was before any fines or penalties.
Third-Party Vendors are Federal Prosecutors’ Favorite Target
General counsels know – your third-party vendors are probably paying bribes.
That sales agent in Nigeria who somehow gets meetings with government officials? The logistics company in Vietnam that never has customs delays? The consultant in Mexico who “knows everyone”? They’re not magicians. They’re paying people, and under the FCPA, you’re responsible for every bribe they pay on your behalf. The DOJ loves third-party cases because they’re easy to prove. They don’t need to show you knew about specific bribes. They just need to show you should have known – that’s called willful blindness, or conscious avoidance. Red flags you ignored, due diligence you didn’t perform, suspicious success you didn’t question. Prosecutors will go through your emails finding every joke about your vendor “working miracles” or “making problems disappear” and present them as evidence you knew bribes were being paid.
The standard defense – “we had anti-corruption clauses in our contracts” – is worthless.
DOJ considers those clauses evidence you knew corruption was a risk but failed to actually monitor for it. The right to audit that you never exercised becomes evidence of willful blindness. The due diligence questionnaire your vendor filled out saying they don’t pay bribes? Prosecutors will argue you should have known they were lying. After all, what corrupt vendor admits to corruption on a form? The Stanford FCPA Clearinghouse data shows that over 90% of FCPA cases involve third-party intermediaries.
Your Accounting Controls Determine Your Prison Sentence
Everyone focuses on the FCPA’s anti-bribery provisions, but the accounting provisions are what actually send executives to prison. You don’t need to prove a single bribe was paid. If your books and records aren’t accurate, if your internal controls are inadequate, that’s a felony carrying up to 20 years in prison. “Accurate” means accurately reflecting the true nature of transactions. That consulting fee that was really a bribe? Recording it as a consulting fee is a books and records violation even if no prosecutor can prove bribery. The materiality threshold that accountants love talking about doesn’t protect you in criminal cases. DOJ’s position is that any bribe, no matter how small, is qualitatively material because it involves criminal conduct. That $10,000 facilitation payment your subsidiary made to clear customs? It might be immaterial to your billion-dollar company’s financial statements, but it’s a federal crime if not accurately recorded. And remember, the CFO who signs those financial statements is personally certifying their accuracy. When bribes are discovered years later, that certification becomes a false statement to the government – another felony.
The accounting provisions also create a documentation trap.
Good internal controls require documentation. Documentation creates evidence. Evidence gets executives convicted.
We’ve seen cases where companies had excellent controls that documented every suspicious transaction, flagged every unusual payment, escalated every concern. When prosecutors arrived, they had a perfectly organized trail of evidence showing exactly which executives knew about problems and failed to fix them. The better your controls, the clearer the evidence of who should have acted and didn’t.
Building an Audit Program That Satisfies Federal Monitors
If you’re reading this because your company is already under investigation, or worse, negotiating a deferred prosecution agreement, you need to understand what’s coming.
The compliance monitor that DOJ will force you to accept isn’t there to help you. They’re there to find more violations.
Every monitorship we’ve seen results in the discovery of “new” violations that extend the monitorship and result in additional penalties. It’s a self-perpetuating system where the monitor has financial incentives to find problems that justify their continued engagement. Monitors expect to see specific audit procedures that go far beyond normal internal audit practices. Transaction testing that samples 100% of high-risk transactions, not just a statistical sample. Forensic data analytics that flag unusual patterns even if they’re not violations. Employee interviews that probe for “tone at the top” issues and cultural problems. Detailed reviews of every declined business opportunity to ensure you’re not avoiding corruption by avoiding business. The monitor wants to see you spending millions on compliance to demonstrate you’re taking this seriously. Companies often implement these intensive audit procedures, find historical violations, and then face the impossible choice of self-reporting and facing more penalties or hiding them and risking obstruction charges.
The Gibson Dunn FCPA Year-End Update shows that companies under monitorship pay average additional penalties of $50 million when “new” violations are discovered.
That’s on top of the $20-30 million the monitor costs over three years.
The only winning move is to build an audit program that finds problems before the government does, but knows when to stop digging. You need plausible explanations for every suspicious transaction, credible defenses for every control weakness, reasonable justifications for every decision. This isn’t about being compliant – it’s about being defensible. Because in FCPA enforcement, the difference between a warning letter and a criminal indictment often comes down to how well you can explain what your internal audit already found.
If your company operates internationally and you’re worried about FCPA exposure, you need lawyers who understand both compliance and criminal defense. At Spodek Law Group, we’ve helped executives navigate DOJ investigations, negotiate deferred prosecution agreements, and build defensible compliance programs. We know what prosecutors look for because we’ve been on both sides of these cases. Contact us today for a confidential consultation about your FCPA risks.